[ 40.718478][ T26] audit: type=1800 audit(1554369667.912:25): pid=7738 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 40.738871][ T26] audit: type=1800 audit(1554369667.912:26): pid=7738 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 40.767858][ T26] audit: type=1800 audit(1554369667.912:27): pid=7738 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[FAIL] startpar: service(s) returned failure: rsyslog ssh ... failed!

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.134' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 51.890661][ T7913]
[ 51.893010][ T7913] ========================================================
[ 51.900427][ T7913] WARNING: possible irq lock inversion dependency detected
[ 51.907771][ T7913] 5.1.0-rc3+ #51 Not tainted
[ 51.912524][ T7913] --------------------------------------------------------
[ 51.919702][ T7913] syz-executor778/7913 just changed the state of lock:
[ 51.926793][ T7913] 00000000104c9ebe (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0
[ 51.936680][ T7913] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 51.944787][ T7913]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 51.944796][ T7913]
[ 51.944796][ T7913]
[ 51.944796][ T7913] and interrupts could create inverse lock ordering between them.
[ 51.944796][ T7913]
[ 51.965092][ T7913]
[ 51.965092][ T7913] other info that might help us debug this:
[ 51.973151][ T7913] Chain exists of:
[ 51.973151][ T7913]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 51.973151][ T7913]
[ 51.987624][ T7913]  Possible interrupt unsafe locking scenario:
[ 51.987624][ T7913]
[ 51.996025][ T7913]        CPU0                    CPU1
[ 52.001492][ T7913]        ----                    ----
[ 52.007054][ T7913]   lock(&ctx->fault_pending_wqh);
[ 52.012235][ T7913]                                local_irq_disable();
[ 52.019601][ T7913]                                lock(&(&ctx->ctx_lock)->rlock);
[ 52.027594][ T7913]                                lock(&ctx->fd_wqh);
[ 52.034347][ T7913]
[ 52.037823][ T7913]     lock(&(&ctx->ctx_lock)->rlock);
[ 52.043219][ T7913]
[ 52.043219][ T7913]  *** DEADLOCK ***
[ 52.043219][ T7913]
[ 52.051363][ T7913] no locks held by syz-executor778/7913.
[ 52.057303][ T7913]
[ 52.057303][ T7913] the shortest dependencies between 2nd lock and 1st lock:
[ 52.066887][ T7913] -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 52.072595][ T7913]   IN-SOFTIRQ-W at:
[ 52.076751][ T7913]     lock_acquire+0x16f/0x3f0
[ 52.083291][ T7913]     _raw_spin_lock_irq+0x60/0x80
[ 52.090254][ T7913]     free_ioctx_users+0x2d/0x4a0
[ 52.097716][ T7913]     percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[ 52.105852][ T7913]     rcu_core+0x928/0x1390
[ 52.112246][ T7913]     __do_softirq+0x266/0x95a
[ 52.118958][ T7913]     irq_exit+0x180/0x1d0
[ 52.125094][ T7913]     smp_apic_timer_interrupt+0x14a/0x570
[ 52.132616][ T7913]     apic_timer_interrupt+0xf/0x20
[ 52.139528][ T7913]     native_safe_halt+0x2/0x10
[ 52.146098][ T7913]     arch_cpu_idle+0x10/0x20
[ 52.152593][ T7913]     default_idle_call+0x36/0x90
[ 52.159468][ T7913]     do_idle+0x386/0x570
[ 52.165536][ T7913]     cpu_startup_entry+0x1b/0x20
[ 52.172344][ T7913]     rest_init+0x245/0x37b
[ 52.178638][ T7913]     arch_call_rest_init+0xe/0x1b
[ 52.185537][ T7913]     start_kernel+0x816/0x84f
[ 52.192163][ T7913]     x86_64_start_reservations+0x29/0x2b
[ 52.199613][ T7913]     x86_64_start_kernel+0x77/0x7b
[ 52.206537][ T7913]     secondary_startup_64+0xa4/0xb0
[ 52.213549][ T7913]   INITIAL USE at:
[ 52.217657][ T7913]     lock_acquire+0x16f/0x3f0
[ 52.224410][ T7913]     _raw_spin_lock_irq+0x60/0x80
[ 52.231301][ T7913]     io_submit_one+0xaec/0x2f90
[ 52.237896][ T7913]     __x64_sys_io_submit+0x1bd/0x580
[ 52.245593][ T7913]     do_syscall_64+0x103/0x610
[ 52.252405][ T7913]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.260329][ T7913] }
[ 52.263001][ T7913] ... key at: [] __key.52649+0x0/0x40
[ 52.270948][ T7913] ... acquired at:
[ 52.274939][ T7913]     lock_acquire+0x16f/0x3f0
[ 52.279593][ T7913]     _raw_spin_lock+0x2f/0x40
[ 52.284364][ T7913]     io_submit_one+0xb31/0x2f90
[ 52.289727][ T7913]     __x64_sys_io_submit+0x1bd/0x580
[ 52.295681][ T7913]     do_syscall_64+0x103/0x610
[ 52.300633][ T7913]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.307083][ T7913]
[ 52.309393][ T7913] -> (&ctx->fd_wqh){....} {
[ 52.314300][ T7913]   INITIAL USE at:
[ 52.318309][ T7913]     lock_acquire+0x16f/0x3f0
[ 52.324552][ T7913]     _raw_spin_lock_irq+0x60/0x80
[ 52.331157][ T7913]     userfaultfd_read+0x27a/0x1940
[ 52.337903][ T7913]     __vfs_read+0x8d/0x110
[ 52.343934][ T7913]     vfs_read+0x194/0x3e0
[ 52.349912][ T7913]     ksys_read+0xea/0x1f0
[ 52.355784][ T7913]     __x64_sys_read+0x73/0xb0
[ 52.362007][ T7913]     do_syscall_64+0x103/0x610
[ 52.368333][ T7913]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.375934][ T7913] }
[ 52.378505][ T7913] ... key at: [] __key.45459+0x0/0x40
[ 52.386634][ T7913] ... acquired at:
[ 52.400887][ T7913]     lock_acquire+0x16f/0x3f0
[ 52.405550][ T7913]     _raw_spin_lock+0x2f/0x40
[ 52.410214][ T7913]     userfaultfd_read+0x540/0x1940
[ 52.415318][ T7913]     __vfs_read+0x8d/0x110
[ 52.419726][ T7913]     vfs_read+0x194/0x3e0
[ 52.424048][ T7913]     ksys_read+0xea/0x1f0
[ 52.428368][ T7913]     __x64_sys_read+0x73/0xb0
[ 52.433031][ T7913]     do_syscall_64+0x103/0x610
[ 52.437782][ T7913]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.443946][ T7913]
[ 52.446293][ T7913] -> (&ctx->fault_pending_wqh){+.+.} {
[ 52.451735][ T7913]   HARDIRQ-ON-W at:
[ 52.455705][ T7913]     lock_acquire+0x16f/0x3f0
[ 52.461845][ T7913]     _raw_spin_lock+0x2f/0x40
[ 52.468103][ T7913]     userfaultfd_release+0x48e/0x6d0
[ 52.474951][ T7913]     __fput+0x2e5/0x8d0
[ 52.480565][ T7913]     ____fput+0x16/0x20
[ 52.486181][ T7913]     task_work_run+0x14a/0x1c0
[ 52.492406][ T7913]     do_exit+0x90a/0x2fa0
[ 52.498208][ T7913]     do_group_exit+0x135/0x370
[ 52.504443][ T7913]     get_signal+0x399/0x1d50
[ 52.510592][ T7913]     do_signal+0x87/0x1940
[ 52.516479][ T7913]     exit_to_usermode_loop+0x244/0x2c0
[ 52.523409][ T7913]     do_syscall_64+0x52d/0x610
[ 52.529764][ T7913]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.537681][ T7913]   SOFTIRQ-ON-W at:
[ 52.541658][ T7913]     lock_acquire+0x16f/0x3f0
[ 52.547948][ T7913]     _raw_spin_lock+0x2f/0x40
[ 52.554468][ T7913]     userfaultfd_release+0x48e/0x6d0
[ 52.561605][ T7913]     __fput+0x2e5/0x8d0
[ 52.567341][ T7913]     ____fput+0x16/0x20
[ 52.573071][ T7913]     task_work_run+0x14a/0x1c0
[ 52.579570][ T7913]     do_exit+0x90a/0x2fa0
[ 52.585603][ T7913]     do_group_exit+0x135/0x370
[ 52.592038][ T7913]     get_signal+0x399/0x1d50
[ 52.598673][ T7913]     do_signal+0x87/0x1940
[ 52.605074][ T7913]     exit_to_usermode_loop+0x244/0x2c0
[ 52.612147][ T7913]     do_syscall_64+0x52d/0x610
[ 52.618383][ T7913]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.626151][ T7913]   INITIAL USE at:
[ 52.630046][ T7913]     lock_acquire+0x16f/0x3f0
[ 52.636260][ T7913]     _raw_spin_lock+0x2f/0x40
[ 52.642358][ T7913]     userfaultfd_read+0x540/0x1940
[ 52.648852][ T7913]     __vfs_read+0x8d/0x110
[ 52.654660][ T7913]     vfs_read+0x194/0x3e0
[ 52.661413][ T7913]     ksys_read+0xea/0x1f0
[ 52.667895][ T7913]     __x64_sys_read+0x73/0xb0
[ 52.674130][ T7913]     do_syscall_64+0x103/0x610
[ 52.680299][ T7913]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.687738][ T7913] }
[ 52.690234][ T7913] ... key at: [] __key.45456+0x0/0x40
[ 52.697989][ T7913] ... acquired at:
[ 52.701786][ T7913]     mark_lock+0x427/0x1380
[ 52.706276][ T7913]     __lock_acquire+0x1317/0x3fb0
[ 52.711289][ T7913]     lock_acquire+0x16f/0x3f0
[ 52.715951][ T7913]     _raw_spin_lock+0x2f/0x40
[ 52.720618][ T7913]     userfaultfd_release+0x48e/0x6d0
[ 52.725885][ T7913]     __fput+0x2e5/0x8d0
[ 52.730021][ T7913]     ____fput+0x16/0x20
[ 52.734185][ T7913]     task_work_run+0x14a/0x1c0
[ 52.739084][ T7913]     do_exit+0x90a/0x2fa0
[ 52.743399][ T7913]     do_group_exit+0x135/0x370
[ 52.748273][ T7913]     get_signal+0x399/0x1d50
[ 52.753067][ T7913]     do_signal+0x87/0x1940
[ 52.757470][ T7913]     exit_to_usermode_loop+0x244/0x2c0
[ 52.763006][ T7913]     do_syscall_64+0x52d/0x610
[ 52.767761][ T7913]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.773840][ T7913]
[ 52.776153][ T7913]
[ 52.776153][ T7913] stack backtrace:
[ 52.782469][ T7913] CPU: 0 PID: 7913 Comm: syz-executor778 Not tainted 5.1.0-rc3+ #51
[ 52.790646][ T7913] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.800691][ T7913] Call Trace:
[ 52.803974][ T7913]  dump_stack+0x172/0x1f0
[ 52.808289][ T7913]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 52.814473][ T7913]  check_usage_backwards.cold+0x1d/0x26
[ 52.820255][ T7913]  ? print_shortest_lock_dependencies+0x90/0x90
[ 52.826875][ T7913]  ? save_stack_trace+0x1a/0x20
[ 52.831734][ T7913]  mark_lock+0x427/0x1380
[ 52.836055][ T7913]  ? print_shortest_lock_dependencies+0x90/0x90
[ 52.842305][ T7913]  __lock_acquire+0x1317/0x3fb0
[ 52.847182][ T7913]  ? trace_hardirqs_off+0x62/0x220
[ 52.852289][ T7913]  ? kasan_check_read+0x11/0x20
[ 52.857126][ T7913]  ? mark_held_locks+0xf0/0xf0
[ 52.861975][ T7913]  ? save_stack+0xa9/0xd0
[ 52.866291][ T7913]  ? save_stack+0x45/0xd0
[ 52.870640][ T7913]  ? __kasan_slab_free+0x102/0x150
[ 52.876055][ T7913]  ? kasan_slab_free+0xe/0x10
[ 52.881239][ T7913]  ? kmem_cache_free+0x86/0x260
[ 52.886174][ T7913]  ? free_fs_struct+0x4f/0x70
[ 52.891196][ T7913]  ? exit_fs+0xf0/0x130
[ 52.895340][ T7913]  lock_acquire+0x16f/0x3f0
[ 52.899934][ T7913]  ? userfaultfd_release+0x48e/0x6d0
[ 52.905298][ T7913]  _raw_spin_lock+0x2f/0x40
[ 52.909927][ T7913]  ? userfaultfd_release+0x48e/0x6d0
[ 52.915418][ T7913]  userfaultfd_release+0x48e/0x6d0
[ 52.920685][ T7913]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 52.926484][ T7913]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 52.933123][ T7913]  ? ima_file_free+0xc9/0x4a0
[ 52.938229][ T7913]  ? __might_sleep+0x95/0x190
[ 52.942899][ T7913]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 52.948683][ T7913]  __fput+0x2e5/0x8d0
[ 52.952835][ T7913]  ____fput+0x16/0x20
[ 52.956799][ T7913]  task_work_run+0x14a/0x1c0
[ 52.961681][ T7913]  do_exit+0x90a/0x2fa0
[ 52.965867][ T7913]  ? get_signal+0x331/0x1d50
[ 52.970482][ T7913]  ? mm_update_next_owner+0x640/0x640
[ 52.975847][ T7913]  ? kasan_check_write+0x14/0x20
[ 52.980904][ T7913]  ? _raw_spin_unlock_irq+0x28/0x90
[ 52.986177][ T7913]  ? get_signal+0x331/0x1d50
[ 52.990757][ T7913]  ? _raw_spin_unlock_irq+0x28/0x90
[ 52.995963][ T7913]  do_group_exit+0x135/0x370
[ 53.000542][ T7913]  get_signal+0x399/0x1d50
[ 53.005032][ T7913]  ? __x64_sys_io_submit+0x31f/0x580
[ 53.010432][ T7913]  do_signal+0x87/0x1940
[ 53.014671][ T7913]  ? lock_downgrade+0x880/0x880
[ 53.019954][ T7913]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.026199][ T7913]  ? kasan_check_read+0x11/0x20
[ 53.031049][ T7913]  ? setup_sigcontext+0x7d0/0x7d0
[ 53.036067][ T7913]  ? exit_to_usermode_loop+0x43/0x2c0
[ 53.041529][ T7913]  ? do_syscall_64+0x52d/0x610
[ 53.046281][ T7913]  ? exit_to_usermode_loop+0x43/0x2c0
[ 53.051675][ T7913]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 53.056954][ T7913]  ? trace_hardirqs_on+0x67/0x230
[ 53.062158][ T7913]  exit_to_usermode_loop+0x244/0x2c0
[ 53.067426][ T7913]  do_syscall_64+0x52d/0x610
[ 53.072127][ T7913]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.078303][ T7913] RIP: 0033:0x4458d9
[ 53.082190][ T7913] Code: Bad RIP value.
[ 53.086242][ T7913] RSP: 002b:00007fe56f50ddb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 53.094669][ T7913] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 00000000004458d9